LinuxCommandLibrary

bpftrace

High-level tracing language for Linux eBPF.

TLDR

List all available probes

$ sudo bpftrace -l
Run a one-liner program
$ sudo bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'
Run a program from file
$ sudo bpftrace [path/to/file]
Trace a program by PID
$ sudo bpftrace -e 'tracepoint:raw_syscalls:sys_enter /pid == 123/ { @[comm] = count(); }'
Dry run and display eBPF output
$ sudo bpftrace -d -e '[one_line_program]'
Display version
$ bpftrace -V

SYNOPSIS

bpftrace [options] [program|file]

DESCRIPTION

bpftrace is a high-level tracing language for Linux eBPF. It provides a powerful scripting interface for kernel and userspace tracing, similar to DTrace on other Unix systems.
Programs can attach to tracepoints, kprobes, uprobes, and other probe types to collect and aggregate data about system behavior in real time.
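
As an added example (not part of the original page), the following program file attaches to a tracepoint, prints one line per event, and aggregates counts in a map, which is the pattern the one-liners above compress. It logs every `execve()` call with its caller, a common starting point for process-execution auditing. The file name `exec-audit.bt` is hypothetical; run it with `sudo bpftrace exec-audit.bt`.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * exec-audit.bt (hypothetical name): log each execve() with caller context
 * and print a per-caller count every 10 seconds.
 * Stop with Ctrl-C.
 */

BEGIN
{
    printf("%-9s%-6s %-7s %-16s %s\n", "TIME", "UID", "PID", "CALLER", "ARGV");
}

/* Fires on entry to execve(); comm is still the calling program's name here. */
tracepoint:syscalls:sys_enter_execve
{
    time("%H:%M:%S ");
    printf("%-6d %-7d %-16s ", uid, pid, comm);

    /* Print the argument vector on one line.
       Newer bpftrace releases also accept args.argv. */
    join(args->argv);

    /* Aggregate in kernel space: number of execs per calling program. */
    @execs_by_caller[comm] = count();
}

/* Periodic summary, then reset so each window is independent. */
interval:s:10
{
    printf("\n-- execs per caller, last 10s --\n");
    print(@execs_by_caller);
    clear(@execs_by_caller);
}

/* Suppress the automatic map dump on exit. */
END
{
    clear(@execs_by_caller);
}
```

The per-event lines show who launched what, while the map summary highlights callers that spawn unusually many processes in a window.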

PARAMETERS

-l
List available probes
-e program
Execute a one-liner program
-d
Dry run; show compiled eBPF without executing
-p pid
Enable USDT probes for the specified PID
-v
Verbose output
-V, --version
Display version information

CAVEATS

Requires root privileges. Kernel must have eBPF and BTF support enabled. Some probes may not be available on all kernel versions. Performance impact varies by probe type and frequency.

HISTORY

bpftrace was created by Alastair Robertson and first released in 2018. It was inspired by DTrace and aimed to bring similar high-level tracing capabilities to Linux using eBPF.

SEE ALSO

bpftool(8), perf(1), strace(1)
